Custom OIDC token data : passing metadata to "Generate a Signed ID (OIDC) Token"

I had an itch to scratch - I wanted to create an OIDC token with some “custom” data. I looked at the templating option on the OIDC role, but it only allowed entity metadata to be used.

So, I fired up VS Code, figured out where I should hack the code (this is my first time writing any Go code) and added a parameter to the method call.

If you pass this parameter in, it overwrites the entity metadata, so you can now access whatever custom fields you want in the template.

So, if I now write an OIDC role with this

vault write identity/oidc/role/foo_role key=foo template="{\"myfoo\":{{identity.entity.metadata.somefoobar}}}"

and then generate a token like so

vault read identity/oidc/token/foo_role metadata=somefoobar=this_is_custom_data

I get a token that decodes to this
{
  "aud": "f8NhA8DxKVhJz31TdkHwuU2iSh",
  "exp": 1630626558,
  "iat": 1630540158,
  "iss": "http://0.0.0.0:54321/v1/identity/oidc",
  "myfoo": "this_is_custom_data",
  "namespace": "root",
  "sub": "9586e035-1bb7-b9de-a1c6-a7095d7de1d2"
}

Notice the “myfoo” key 🙂

If this would be useful to someone, I could post a pull request.

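As an added example (not the poster's patch and not Vault's own code), the Python below models the behaviour the post describes: the role template from the thread is rendered after request-supplied metadata has overwritten the entity metadata, and the function records which metadata keys were caller-controlled, because a relying party should treat a claim filled in that way as asserted by whoever called the token endpoint rather than by Vault. Assumptions: the override replaces the whole metadata map, the placeholder syntax is exactly {{identity.entity.metadata.<key>}}, and the reserved-claim collision check in build_payload is this example's own safeguard, not verified Vault behaviour.

```python
import json
import re

# Placeholder syntax used by the role template in the thread:
#   {{identity.entity.metadata.<key>}}
PLACEHOLDER = re.compile(r"\{\{identity\.entity\.metadata\.([A-Za-z0-9_.-]+)\}\}")

# Registered claims Vault sets itself; the check below refuses to let a template shadow them.
RESERVED = {"iss", "sub", "aud", "exp", "iat", "namespace"}


def render_claims(template, entity_metadata, request_metadata=None):
    """Render a role template into the token's custom claims.

    Models the patched behaviour from the post: metadata passed on the token
    request overwrites the entity's stored metadata before rendering
    (assumption: the whole map is replaced). Returns (claims, caller_controlled),
    where caller_controlled lists metadata keys whose values came from the request.
    """
    effective = dict(request_metadata) if request_metadata else dict(entity_metadata)
    caller_controlled = []

    def substitute(match):
        key = match.group(1)
        if key not in effective:
            raise KeyError(f"template references metadata key {key!r} that is not set")
        if request_metadata and key in request_metadata:
            caller_controlled.append(key)
        return json.dumps(effective[key])  # emitted as a JSON string, as in the decoded token

    claims = json.loads(PLACEHOLDER.sub(substitute, template))
    return claims, caller_controlled


def build_payload(custom_claims, iss, sub, aud, iat, ttl, namespace="root"):
    """Merge custom claims with the registered claims; reject any collision."""
    clash = RESERVED & set(custom_claims)
    if clash:
        raise ValueError(f"template may not set reserved claims: {sorted(clash)}")
    payload = {"iss": iss, "sub": sub, "aud": aud, "iat": iat,
               "exp": iat + ttl, "namespace": namespace}
    payload.update(custom_claims)
    return payload


# Constructed sample mirroring the thread's role template and token request.
TEMPLATE = '{"myfoo":{{identity.entity.metadata.somefoobar}}}'
ENTITY_METADATA = {"somefoobar": "from_entity"}           # constructed entity value
REQUEST_METADATA = {"somefoobar": "this_is_custom_data"}  # value from the post
```

Calling render_claims(TEMPLATE, ENTITY_METADATA, REQUEST_METADATA) yields {"myfoo": "this_is_custom_data"} with somefoobar flagged as caller-controlled; feeding the post's iss, sub, aud and iat with a ttl of 86400 into build_payload reproduces the decoded token's exp.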

I could see that being useful, nice work!

Something similar might be useful for using templates in allowed_parameters (and other fields) within policies: Policies for policies - #7 by HelenCousins